Linux Firewall

Always learning
3 min read · Jun 12, 2023


A firewall is a filter for network packets entering and leaving your (Linux) computer. You use it to specify which packets are allowed in and which are allowed out.

A firewall should be running whenever your computer is connected to a network (local area network or internet). It is one of the first lines of defence against attackers, but only that: a packet filter cannot protect a service you have deliberately exposed through it.

Concretely, a firewall is a packet filter that allows or denies communication based on attributes such as the destination TCP or UDP port, the source or destination IP address, the protocol, the connection state, and the interface a packet arrives on or leaves through.

What is a Linux Firewall?

A Linux firewall is not a separate device but software inside the kernel that inspects network traffic (inbound, outbound and forwarded packets) and decides whether to pass or discard it. iptables is the CLI tool traditionally used to manage those rules on a Linux machine.

What are iptables? How does it work?

iptables is a command-line (CLI) application that lets the administrator configure rules which the Linux kernel's Netfilter framework enforces: inspect, modify (mangle, translate addresses) or drop network packets as they pass through the network stack. With the right rules, any Linux machine or device can act as a network firewall and/or a router.

Different user-space tools and kernel modules cover different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames (bridging). Note that an iptables rule set says nothing about IPv6; a host with IPv6 enabled needs matching ip6tables rules, or it is unfiltered on that address family.

Later the Netfilter project developed nftables, a packet filtering framework with a single tool (nft) for all address families, designed for better performance and scalability. It does the same job as iptables and has replaced it in current distributions. On many of them the iptables command is a compatibility front end that writes nf_tables rules; `iptables -V` reports either `(legacy)` or `(nf_tables)`. Mixing rules written with nft and with iptables on the same host makes the effective policy hard to reason about, so pick one tool per system.

How Does Packet Filtering Work with Iptables?

An iptables policy is an ordered set of rules that describe to the kernel which action to take on which packets. Rules are grouped into chains, chains live in tables, and a packet traverses a chain top to bottom until a rule with a terminating target (ACCEPT, DROP, REJECT) matches; if no rule matches, the chain's default policy applies. Order therefore matters: a broad ACCEPT placed before a narrow DROP makes the DROP dead code.

NAT Table:

  • The nat table performs Network Address Translation: rewriting source or destination addresses and ports. It is consulted only for the first packet of a connection; the kernel's connection tracker then applies the same translation to the rest of that connection in both directions.
  • Its chains are tied to the routing decision: PREROUTING (destination NAT, applied before the kernel decides where a packet goes, e.g. port forwarding), POSTROUTING (source NAT and MASQUERADE, applied after routing, e.g. sharing one public address among LAN clients), and OUTPUT (destination NAT for locally generated packets).

Packet Filtering Table:

The filter table is where packets are finally accepted or dropped; it is the default table when no -t option is given. Packet filtering is processed in the chains below.

Chains:

  • The filter table has three built-in chains: INPUT, OUTPUT and FORWARD. Which one a packet traverses is decided by the kernel's routing decision, not by the rule set.
  • INPUT chain: packets addressed to this host, seen after PREROUTING and the routing decision. Example: an external IP trying to establish an SSH connection to your system.
  • OUTPUT chain: packets generated by processes on this host. Example: when you visit cybersecuritynews.com, your outgoing requests are checked against this chain before they leave the machine.
  • FORWARD chain: packets that arrive on one interface and are routed out of another, i.e. the host is acting as a router or gateway. Example: port forwarding, where the nat table rewrites the destination in PREROUTING and the FORWARD chain must then still accept the rewritten packet.

Mangle table

  • The mangle table is used for special-purpose modification of packet headers: setting the TTL or TOS/DSCP fields, clamping the TCP MSS, or attaching a firewall mark (-j MARK) that later rules, policy routing or traffic shaping can act on.
  • It has all five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) and is consulted before the nat and filter tables at each hook. It does not perform address translation itself; that is the nat table's job.

Every iptables rule has a set of matches that select the packets it applies to, and a target that says what to do with them. A rule with no matches applies to every packet in the chain.

  • source (-s) source IP address or network (CIDR notation)
  • destination (-d) destination IP address or network
  • protocol (-p) protocol name or number (tcp, udp, icmp, or a value from /etc/protocols); required before port matches such as --dport
  • in-interface (-i) input interface (e.g., eth0); valid only in PREROUTING, INPUT and FORWARD
  • out-interface (-o) output interface; valid only in FORWARD, OUTPUT and POSTROUTING
  • conntrack (-m conntrack --ctstate) connection state: NEW, ESTABLISHED, RELATED or INVALID (the older -m state module is an alias)
  • string (-m string) a byte sequence in the application-layer payload; cheap to write but expensive to evaluate, and easily defeated by encryption or by splitting the pattern across packets, so not a substitute for an application-layer proxy

Target:

ACCEPT: lets the packet through; traversal of this table's chain stops.
DROP: silently discards the packet. The sender sees nothing and has to time out.
LOG: writes packet details to the kernel log (dmesg, and syslog/journald through it). LOG is non-terminating: the packet continues to the next rule, so a LOG rule is normally followed by an explicit DROP or REJECT. Pair it with -m limit, or an attacker can fill your logs.
REJECT: discards the packet and sends an error back: by default an ICMP port unreachable, or a TCP reset with --reject-with tcp-reset. Legitimate clients fail faster, but it also confirms to a scanner that a host is present.
RETURN: stops traversing the current chain and resumes in the calling chain at the rule after the jump; in a built-in chain it falls through to the chain's default policy.
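The tables, chains, matches and targets above only make sense together, so here is a complete rule set that uses all of them: a stateful host firewall (default-DROP INPUT, loopback, INVALID drop, ESTABLISHED/RELATED, rate-limited SSH from an admin network, web ports, rate-limited ping, rate-limited LOG followed by DROP) plus an optional NAT gateway function showing MASQUERADE and a DNAT port forward together with the FORWARD rule it needs. This script is an added example and is not code from the article; the admin network 192.0.2.0/24, the interface names eth0/eth1 and the internal host 10.0.0.10 are placeholders chosen for the example. Setting IPT="echo iptables" prints the commands instead of applying them, which is how it can be reviewed without root.

```shell
#!/bin/sh
# Baseline stateful host firewall with iptables (added example, not from the article).
# IPT defaults to the real binary; set IPT="echo iptables" to print the rules instead.
set -eu

IPT="${IPT:-iptables}"
# Placeholders (assumptions for this example): adjust to your environment.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # RFC 5737 documentation range, constructed
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DNAT_TARGET="${DNAT_TARGET:-10.0.0.10:443}"

# $IPT is deliberately unquoted so that IPT="echo iptables" splits into two words.
host_rules() {
  # Clean filter table, then last-resort policies: nothing in unless explicitly allowed.
  $IPT -t filter -F
  $IPT -t filter -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Loopback is trusted; local services talk to each other over it.
  $IPT -A INPUT -i lo -j ACCEPT

  # Packets conntrack cannot classify (bad TCP flags, stray ACKs) go first.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Stateful core: replies to connections we opened, plus RELATED traffic such as ICMP errors.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # SSH only from the admin network; more than 5 new connections/min per source IP is dropped.
  $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW \
       -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
       --hashlimit-above 5/minute -j DROP
  $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT

  # Public web service.
  $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

  # Answer pings, but not a flood.
  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT

  # LOG is non-terminating: the packet continues to the next rule, so the explicit DROP
  # below still applies. The limit stops an attacker from filling the log.
  $IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 \
       -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
  $IPT -A INPUT -j DROP
}

gateway_rules() {
  # Turn the host into a NAT gateway for LAN_IF clients behind WAN_IF, with one port forward.
  $IPT -t nat -F
  # Source NAT after the routing decision: LAN clients share WAN_IF's address.
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # Port forward: DNAT in nat/PREROUTING (before routing) rewrites the destination,
  # and filter/FORWARD must then accept the rewritten packet or it is dropped by policy.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8443 -j DNAT --to-destination "$DNAT_TARGET"
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "${DNAT_TARGET%:*}" \
       --dport "${DNAT_TARGET#*:}" -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Routing between interfaces also needs the kernel switch; this is not an iptables rule.
  [ "$IPT" = iptables ] && sysctl -w net.ipv4.ip_forward=1 >/dev/null || true
}

case "${1:-}" in
  apply)   host_rules ;;
  gateway) host_rules; gateway_rules ;;
  dry-run) IPT="echo iptables" host_rules; IPT="echo iptables" gateway_rules ;;
  *)       echo "usage: $0 apply|gateway|dry-run" >&2 ;;
esac
```

Run `sh firewall.sh dry-run` first and read the commands; when applying over SSH, wrap the apply step with iptables-apply (or schedule an iptables-restore of the previous rules) so a mistake cannot lock you out, since the policies are set to DROP before the ESTABLISHED rule is in place. Verify with `iptables -L -n -v --line-numbers`, whose per-rule packet counters show whether traffic is hitting the rule you think it is, and persist with iptables-save. IPv6 needs an equivalent ip6tables script.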


Written by Always learning

A student who keeps on learning...